The Changes to Cyber Essentials

For those of you who aren’t familiar, the Cyber Essentials Scheme was introduced by the UK government in 2014 to help organisations improve the quality of their security controls and to protect against the ever-growing cyber threat that we are all facing.

The scheme is centred around five key controls, which are as follows:

Access control

You must make sure that only those who need access to specific information in your organisation have it, and, going a step further, you must ensure that this access is monitored and reviewed regularly.

Secure Configuration

You must select and apply the most secure settings for all of your devices and software. One way you can do this is by changing passwords and removing unused accounts and software as soon as possible.

Software Updates

You must ensure that your software and operating systems are regularly updated with the latest patches to ensure that they are protected against all the latest vulnerabilities.

Malware Protection

You must reduce the likelihood of being infected by any form of malware, including computer viruses, spyware, botnet software, and ransomware. This can be done by ensuring you have correctly installed anti-malware software that only allows trusted applications which pose little threat of containing malware.

Firewalls

You must use Firewalls to create a ‘buffer zone’ to allow you to analyse traffic looking to gain access to your network – Firewalls will establish whether or not any traffic should be allowed to pass through the gateway to your data.


The Cyber Essentials scheme offers two levels of certification, both of which ensure the security of your organisation – the only difference is that one is more extensive than the other. They are as follows:

Cyber Essentials involves a self-assessment questionnaire – carried out online – which is independently assessed by a governing body.

Cyber Essentials Plus is very similar but it requires a slightly more extensive examination process to ensure that not only is the IT infrastructure secure but that the cyber solutions you have in place comply with the requirements of the Scheme.

The scheme has recently been updated and some of the requirements have changed in order to boost the levels of security your organisation achieves.


Why Were Changes Made?

Since its inception in 2014, cyber threats have advanced and become more common – amendments had to be made to address the ever-changing nature of cyber threats and the way we work. The scheme undergoes regular reviews to ensure that it continues to add value to your security solutions.

Specifically, the last update reflects our increased adoption and reliance on Cloud services, alongside the rapid increase in home and hybrid working that the pandemic brought in its wake. These changes have brought with them additional security threats that desperately need addressing if you want your organisation to remain secure.

For example, because attacks on Cloud services increasingly use techniques that steal users’ passwords to access their accounts, the Scheme’s technical controls have been evaluated and strengthened, with a new focus on multi-factor authentication and password management tools – enabling you to combat these evolving threats and remain secure.

What Controls Need to Be Implemented to Ensure You Comply?

• Multi-Factor Authentication (MFA) Must Be Used For Access To Cloud Services

MFA is required to provide additional protection to accounts when connecting to Cloud services. The Cyber Essentials accreditation expects you to have at minimum two types of credentials before being able to access an account.


• Password and MFA Requirements

In order to protect against brute-force password guessing, the Cyber Essentials Scheme requires additional protection to be implemented in the form of MFA, so that you can monitor the number of password guesses, or you can lock accounts after a maximum of 10 unsuccessful attempts.


• Software Licensing, Support, Updating and Removal

The updated Cyber Essentials requirements require your organisation to ensure that all software on your in-scope devices is fully licensed and supported. Software must also be removed from devices when it becomes unsupported, because leaving it in place will leave your systems vulnerable.

You must have automatic updates enabled wherever possible. One of the key changes is that if a vendor defines an update as ‘critical’ or ‘high risk’ then you must apply it within 14 days of its release.


• Device Locking for Physically Present Users

One of the new requirements is centred around device unlocking – you must now use biometrics or a password of at least six characters in length to physically unlock a device.

The credentials on an account need to be protected against cyber attacks. This can be done by limiting the number of opportunities the criminals have, by only permitting a certain number of guesses in a set amount of time. You can go one step further by locking devices when there has been a certain number of unsuccessful attempts.
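As an added example (not part of the original article, and not code from the Cyber Essentials scheme or from Datek), the Python below models the two protections described here and in the earlier ‘Password and MFA Requirements’ section: throttling the number of guesses permitted in a set time window, and locking the account after no more than 10 unsuccessful attempts. The lockout threshold of 10 comes from the text; the five-minute window, the limit of five guesses per window, the `BruteForceGuard` class and the constructed attempt sequence in `simulate` are all assumptions chosen for illustration.

```python
"""Brute-force protection policy modelled on the Cyber Essentials wording.

Added example, not code from the Cyber Essentials scheme or from Datek.
Two controls are combined:
  * throttling: at most MAX_GUESSES_PER_WINDOW attempts per WINDOW_SECONDS
    (both values assumed for illustration);
  * lockout: the account locks once LOCKOUT_THRESHOLD consecutive failures
    have been recorded (10, as the text states).
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Tuple

LOCKOUT_THRESHOLD = 10        # from the text: lock after at most 10 failures
WINDOW_SECONDS = 300.0        # assumed: attempts are counted over a 5-minute window
MAX_GUESSES_PER_WINDOW = 5    # assumed: at most 5 attempts per window before throttling


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked: bool = False
    recent_attempts: Deque[float] = field(default_factory=deque)  # timestamps


class BruteForceGuard:
    """Decides whether a login attempt may proceed and records its outcome.

    `clock` returns the current time in seconds and is injectable so the
    throttle window can be exercised deterministically.
    """

    def __init__(self, clock: Callable[[], float]):
        self._clock = clock
        self._accounts: Dict[str, AccountState] = defaultdict(AccountState)

    def _prune(self, state: AccountState, now: float) -> None:
        # Forget attempts that have fallen out of the throttle window.
        while state.recent_attempts and now - state.recent_attempts[0] > WINDOW_SECONDS:
            state.recent_attempts.popleft()

    def check(self, username: str) -> str:
        """Return 'allow', 'throttled' or 'locked' for a new attempt."""
        state = self._accounts[username]
        if state.locked:
            return "locked"
        self._prune(state, self._clock())
        if len(state.recent_attempts) >= MAX_GUESSES_PER_WINDOW:
            return "throttled"
        return "allow"

    def record(self, username: str, success: bool) -> None:
        """Record the outcome of an attempt that `check` allowed.

        Every attempt counts towards the throttle; only failures count
        towards the lockout, and a success resets the failure counter.
        """
        state = self._accounts[username]
        now = self._clock()
        self._prune(state, now)
        state.recent_attempts.append(now)
        if success:
            state.consecutive_failures = 0
            return
        state.consecutive_failures += 1
        if state.consecutive_failures >= LOCKOUT_THRESHOLD:
            state.locked = True

    def state_of(self, username: str) -> Tuple[int, bool]:
        """(consecutive failures, locked) for monitoring or audit output."""
        state = self._accounts[username]
        return state.consecutive_failures, state.locked

    def unlock(self, username: str) -> None:
        """Administrative reset once the lockout has been investigated."""
        self._accounts[username] = AccountState()


def simulate(attempts: List[Tuple[float, bool]], username: str = "alice") -> List[str]:
    """Replay constructed (timestamp, password_correct) attempts and return the
    decision for each: 'ok', 'fail', 'throttled' or 'locked'."""
    now = [0.0]
    guard = BruteForceGuard(lambda: now[0])
    decisions = []
    for ts, correct in attempts:
        now[0] = ts
        decision = guard.check(username)
        if decision == "allow":
            guard.record(username, correct)
            decision = "ok" if correct else "fail"
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    # Constructed sample: a burst of wrong guesses, a pause, then more guesses.
    burst = [(float(t), False) for t in range(7)]
    later = [(400.0 + t, False) for t in range(6)]
    for ts, decision in zip([a[0] for a in burst + later], simulate(burst + later)):
        print(f"t={ts:6.1f}s  {decision}")
```

Throttling on its own only slows an attacker down, so the lockout still triggers once the cumulative failure count reaches 10 across several windows; a successful login clears the failure counter but not the throttle, so a legitimate user who has just logged in cannot be used to reset an attacker’s budget.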


What are the Key Changes You Will See When Completing the Questionnaire?

Those of you who are familiar with the current look and feel of the Cyber Essentials Questionnaire will be glad to hear that the new one isn’t too different. There are – of course – new questions, but the majority were originally part of another question and have now been given their own question status. The new questions come with some requirements, and are as follows:

You must:

• List all Cloud services that you use which are provided by third parties.
• Detail how firewall controls are applied on BYOD devices that are not connected to your internal network.
• Ensure that there are locking arrangements on end devices which have access to the software and services installed.
• Describe methods for unlocking devices and measures for protecting against all manner of cyber attacks.
• Describe how you protect accounts from cyber attacks involving password guessing in your organisation.
• Describe the technical controls you use to manage the quality of your passwords within your organisation.
• Explain how you encourage people to use unique and strong passwords.


What Changes Were Made to Cyber Essentials Plus?

All of the security control requirements we outlined above for the standard Cyber Essentials certification also apply to the Plus version – but the Plus certification now has two additional tests as part of the assessment process. In the first, the assessor will look for confirmed account separation between user and administrative accounts; in the second, the assessor will look to confirm that your organisation has successfully implemented multi-factor authentication for access to Cloud services.

The changes – as inconvenient as they may be – run parallel with the cyber security requirements of your organisation. As they grow in sophistication, complexity, and effectiveness, your cyber security measures have to do the same, and Cyber Essentials ensures that you do this effectively.


https://www.datek.co.uk/contact

Your proactive IT support specialists

Our team of experts can offer all of the above and more. We will take time getting to know you, your team, the way you like to do business, and your goals and vision for the future. Our team of experts will work with you to find a cyber strategy that complements the way you do business and ensures that you are constantly up-to-date with the latest tech that is beneficial to you. We will also educate your team to be sure that they understand the strategy and are fully equipped to use the tools to their full capabilities. With our help you can go into the future confident that your systems are up-to-date, fit for purpose, and secure. Get in contact now and speak to one of our professionals to find out what we can do for you.